@cyclonedx/cdxgen 9.1.0 → 9.2.0

package/README.md

@@ -8,7 +8,7 @@ When used with plugins, cdxgen could generate an SBoM for Linux docker images an
 
 NOTE:
 
-CycloneDX 1.5 specification is brand new and unsupported by many downstream tools. Use version 8.6.0 for 1.4 compatibility.
+CycloneDX 1.5 specification is brand new and unsupported by many downstream tools. Use version 8.6.0 for 1.4 compatibility or pass the argument `--spec-version 1.4`.
 
 ## Supported languages and package format
 
@@ -80,7 +80,7 @@ For go, `go mod why` command is used to identify required packages. For php, com
 ```shell
 sudo npm install -g @cyclonedx/cdxgen
 
-# For CycloneDX 1.4 compatibility use version 8.6.0
+# For CycloneDX 1.4 compatibility use version 8.6.0 or pass the argument `--spec-version 1.4`
 sudo npm install -g @cyclonedx/cdxgen@8.6.0
 ```
 
@@ -150,8 +150,10 @@ Options:
                                cts. Defaults to true but disabled for containers
                                 and oci scans. Use --no-install-deps to disable
                                this feature.           [boolean] [default: true]
-      --validate               Validate the generated SBoM using json schema.
-                                                      [boolean] [default: false]
+      --validate               Validate the generated SBoM using json schema. De
+                               faults to true.         [boolean] [default: true]
+      --spec-version           CycloneDX Specification version to use. Defaults
+                               to 1.5                           [default: "1.5"]
       --version                Show version number                     [boolean]
   -h                           Show help                               [boolean]
 ```
@@ -182,6 +184,12 @@ To recursively generate a single BoM for all languages pass `-r` argument.
 cdxgen -r -o bom.json
 ```
 
+To generate SBoM for an older specification version such as 1.4, pass the version using the `--spec-version` argument.
+
+```shell
+cdxgen -r -o bom.json --spec-version 1.4
+```
+
 ## Universal SBoM
 
 By passing the type `-t universal`, cdxgen could be forced to opportunistically collect as many components and services as possible by scanning all package, container and kubernetes manifests. The resulting SBoM could have over thousand components thus requiring additional triaging before use with traditional SCA tools.

package/bin/cdxgen.js

@@ -1,6 +1,7 @@
 #!/usr/bin/env node
 
-import { createBom, submitBom, validateBom } from "../index.js";
+import { createBom, submitBom } from "../index.js";
+import { validateBom } from "../validator.js";
 import fs from "node:fs";
 import { tmpdir } from "node:os";
 import { basename, dirname, join, resolve } from "node:path";
@@ -109,8 +110,13 @@ const args = yargs(hideBin(process.argv))
   })
   .option("validate", {
     type: "boolean",
-    default: false,
-    description: "Validate the generated SBoM using json schema."
+    default: true,
+    description:
+      "Validate the generated SBoM using json schema. Defaults to true."
+  })
+  .option("spec-version", {
+    description: "CycloneDX Specification version to use. Defaults to 1.5",
+    default: "1.5"
   })
   .scriptName("cdxgen")
   .version()
@@ -144,6 +150,11 @@ if (!args.projectName) {
   }
 }
 
+// To help dependency track users, we downgrade the spec version to 1.4 automatically
+if (args.serverUrl || args.apiKey) {
+  args.specVersion = 1.4;
+}
+
 /**
  * projectType: python, nodejs, java, golang
  * multiProject: Boolean to indicate monorepo or multi-module projects
@@ -165,7 +176,8 @@ const options = {
   projectVersion: args.projectVersion,
   server: args.server,
   serverHost: args.serverHost,
-  serverPort: args.serverPort
+  serverPort: args.serverPort,
+  specVersion: args.specVersion
 };
 
 /**

package/binary.js

@@ -3,6 +3,7 @@ import { existsSync, mkdtempSync, readFileSync, rmSync } from "node:fs";
 import { join, dirname, basename } from "node:path";
 import { spawnSync } from "node:child_process";
 import { PackageURL } from "packageurl-js";
+import { DEBUG_MODE } from "./utils.js";
 
 import { fileURLToPath } from "node:url";
 import path from "node:path";
@@ -15,13 +16,6 @@ const dirName = import.meta ? path.dirname(fileURLToPath(url)) : __dirname;
 
 const isWin = _platform() === "win32";
 
-// Debug mode flag
-const DEBUG_MODE =
-  process.env.CDXGEN_DEBUG_MODE === "debug" ||
-  process.env.SCAN_DEBUG_MODE === "debug" ||
-  process.env.SHIFTLEFT_LOGGING_LEVEL === "debug" ||
-  process.env.NODE_ENV === "development";
-
 let platform = _platform();
 let extn = "";
 if (platform == "win32") {
@@ -388,7 +382,7 @@ export const getOSPackages = (src) => {
                     purlObj.qualifiers,
                     purlObj.subpath
                   ).toString();
-                  comp["bom-ref"] = comp.purl;
+                  comp["bom-ref"] = decodeURIComponent(comp.purl);
                 }
                 if (purlObj.type !== "none") {
                   allTypes.add(purlObj.type);
@@ -430,7 +424,7 @@ export const getOSPackages = (src) => {
                       purlObj.qualifiers,
                       purlObj.subpath
                     ).toString();
-                    comp["bom-ref"] = comp.purl;
+                    comp["bom-ref"] = decodeURIComponent(comp.purl);
                   }
                 }
               } catch (err) {
@@ -474,7 +468,7 @@ export const getOSPackages = (src) => {
                   purlObj.subpath
                 ).toString();
               }
-              newComp["bom-ref"] = newComp.purl;
+              newComp["bom-ref"] = decodeURIComponent(newComp.purl);
               pkgList.push(newComp);
             }
           }